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Bit retrieval, the problem of determining a binary sequence from its cyclic auto- 
correlation, is a special case of the phase retrieval problem. Algorithms for phase 
retrieval are extensively used in several scientific disciplines, and yet, very little is 
known about the complexity of these algorithms or phase retrieval in general. Here 
we show that bit retrieval, in particular, is closely related to computations that arise 
in algebraic number theory and can also be formulated as an integer program. We 
find that general purpose algorithms from these fields, when applied to bit retrieval, 
are outperformed by a particular iterative phase retrieval algorithm. This algorithm 
still has exponential complexity and motivates us to propose a new public key sig- 
nature scheme based on the intractability of bit retrieval, and image watermarking 
as a possible application. 

Keywords: phase retrieval, lattice basis reduction, LLL algorithm, subset sum problem, vector quantization, 
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1 Introduction 



Phase retrieval is the general problem of reconstructing a finitely sampled signal (or density in higher 
dimensions) from its autocorrelation. Since knowledge of the autocorrelation is equivalent to knowledge of 
the signal's Fourier transform modulus, phase retrieval is fundamentally underdetermined without additional 
information to constrain the Fourier transform phases. These constraints usually take the form of a priori 
information: the signal may be known to have a particular support or distribution of values. Bit retrieval 
is perhaps the simplest instance of phase retrieval, where the signal is periodic and known to take only 
two values. Choosing without loss of generality these values to be and 1, bit retrieval seeks to find a 
binary sequence having a prescribed cyclic autocorrelation. For example, given the autocorrelation sequence 
a = [5, 2, 1, 3, 3, 2, 3, 3, 1, 2], one solution is the binary sequence (3 = [1, 0, 0, 1, 1, 0, 0, 1, 0, 1]. 

The computational complexity of bit retrieval is largely unexplored. Zwick et al. [Zw] made the first study 
and were able to solve sequences up to lengths N = 64. There is a close relationship between bit retrieval 



1 



and the problem of factoring in rings of algebraic integers, specifically, the integers of the cyclotomic field 
of Nth roots of unity. It is also possible to formulate bit retrieval as an integer program. While both of 
these subjects, algebraic number theory and integer programming, have experienced significant algorithm 
development in recent years, the fastest known bit retrieval algorithm still follows the principles devel- 
oped in the study of phase retrieval. As described below, this algorithm has an empirically determined 
average-case complexity of 2 cN , with c 0.22. A point of comparison is the fact that an ordinary inte- 
ger with two large factors of order 2 N can be factored with subexponential time complexity, specifically, 
exp [(log A r ) 1 / 3 (clog log N) 2 / 3 ], where c = 8/3 [LL]. The latter problem is still considered intractable and 
forms the basis of public key cryptosystems [RSA]. Can the apparent intractability of bit retrieval be ex- 
ploited likewise? This paper reports on a public key signature scheme as a partial response to this challenge. 
An application that appears to be well suited to this scheme is image watermarking. 



2 Notation and terminology 



We restrict our study to sequences of length N, where iV is an odd prime, typically greater than 200 in 
the applications we propose. The autocorrelation of sequences of real numbers, and more generally their 
convolution product, corresponds to the standard product in the polynomial ring M[x]. Cyclic convolutions 
correspond to the quotient ring R := M[x]/(x N — 1), and cyclic integer sequences form the subring Z := 
Ij[x]/(x n — 1). Also of interest are the quotient rings i?/($j\r) an d O := Z/{<$>n), where $n(x) := 
x N-i _|_ . . . _|_ x _|_ i j s t ^ e ^th cyclotomic polynomial. Since $>n(x) is the irreducible polynomial of 
C := exp (i2tv/N), O is isomorphic to Z[£], the ring of integers of the cyclotomic field of Nth roots of 
unity. We denote both quotient maps by the symbol The rational integers are the subring ZcO. 

In computations, elements of the rings R, Z and O are represented by their components with respect to a 
standard basis. We will use the following choice of basis elements: 

R,Z : l,x,...,x N ~ l (1) 
O : C,--.,^ 1 (2) 

The ith component of an element a G R is denoted [a]i, where a = X^o 1 [ a ]i xl > an d similarly for elements 
of Z and O. 



Our bases also allow us to define the binary elements. We say (3r G R is binary if = ±5 for all 
< i < N — 1 and ^((3r) 7^ 0. This embedding is geometrically more natural than that given in the 
introduction. There are exactly 2^ — 2 binary elements in R and each has a distinct binary counterpart 

Po = *(Pr) in O: 



\Po] 



\Pr] 



+ 



if \Pr]o < 
if [/3b] > 0. 



1< i < N- 1 



(3) 



The automorphisms of O are given by the N— 1 conjugate maps defined by o,j (Q := with 1 < j < N — 1. 
The collection of these maps is closely related to the Fourier transform. Referring the action of o~j on a G O 
to the basis ®, 

k=l 
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we see that a := [o~i, . . . , <7jv-i] can be inteipreted as a linear map O -> C^- 1 . Since E^C^ = 
for all 1 < j < iV — 1, a is also well denned when applied to elements of R and Z. We thus use 
the same notation for the set of Fourier transform components for all three rings. The statement that the 
automorphisms preserve multiplication in O, aj(a/3) = aj(a)<jj([3), when written in multicomponent form 
as a(af3) = a(a)a((3), is the "convolution theorem" of the Fourier transform. The latter, in combination 
with the inverse Fourier transform (see below), is the basis of an 0(N log N) multiplication algorithm (FFT) 
in R, Z and O. 

The map o~n-i corresponds to complex conjugation and will be denoted by the overbar in O as well as 
C: a(a) = a (a). This extends by © to an action on elements of R and Z given by [a]j = [a]N-j, for 
1 < j < N ~ 1, and [a] = [a] . 

The conventional Fourier transform also includes the zero-frequency component ao : R — ► R, where 

N-l 



(T («) := (5) 



is again to be interpreted as a linear map that extends in the obvious way to elements of Z. Linear trans- 
formations a -1 and cTq" 1 , corresponding to the inverse Fourier transform, are defined in the sense of the 
Moore-Penrose pseudoinverse: 

a' 1 := CT t • (a • at)- 1 = lat (6) 
a~ l ■= ^ • (<7 • dj)- 1 = — a} , (7) 

where • denotes matrix multiplication and f is the matrix adjoint. Whereas a ■ a" 1 and <7o • (Tq -1 are respec- 
tively (N — 1) x (JV — 1) and lxl identity matrices, the product 



7T := a Q •<ro=ff 



( 1 



\1 ••• 1 



(8) 



is the projector to the ideal ($jv) in R. Similarly, a 1 - a is the projector onto the orthogonal complement, 
R±, where orthogonality is with respect to the Euclidean norm: 

|H| := (a (a) 2 + a(a)-a(a)) /N (9) 
= a* • tto • a + oc" ■ (1 — 7ro) • a (10) 
= a* -a. (11) 

The Euclidean norm for elements a E i?x, 

[|a[|_L := a {a) ■ a(a)/N , (12) 

is also the appropriate norm in the quotients i?/($j\r) an d O. Some of the interest in studying binary 
elements derives from the fact that all binary (3 E R have the same Euclidean norm, \\/3\\ = N/4. 

The autocorrelation a of an element f3 E R, Z, O is given by a = ft/3 and has real, nonnegative Fourier 
transform components: a(fif3) = a(j3)a(j3), and also ao(P /3) = o-q(/3) 2 for f3 £ R,Z. The autocorrelation 



3 



of an element (3 is therefore equivalent to the information in its Fourier transform modulus, and recovering 
(3 from its autocorrelation corresponds to "retrieving its phases". Autocorrelations, and more generally, 
elements with the property a = a, form the real subrings R, Z and O. If (3o € O is binary and (3r is its 
binary counterpart in R, then the corresponding autocorrelations ao = floPo a R = PrPr we related 
by 

Mo = -r 

N (13) 

[a R ]i = [ao]i + j , 1 < i < N - 1 . 



A binary element (3 G O is said to be perfect if its autocorrelation is a rational integer, that is, (3(3 G Z. The 
Fourier transform components of a perfect (3 have constant modulus, since (3(3 = <jj ((3(3) = \ [&{(3)}j\ 2 . For 
any TV, (3 = 1 is perfect; a less trivial example, for N = 3, is the binary element (3 = 1 + (. 



The norm N(a) G Z of an element a G O is defined by 



JV-l (^-l)/2 

AA(a) := [] a» = \a(a)j\ 2 , (14) 

i=i i=i 



and has the interpretation of the index in O of the principal ideal a O. 

3 Bit retrieval 

A generalization of the problem posed in the introduction is the following: 



Bi: Given a G O and the knowledge that a = (3± (3% where (3\ and (32 are binary, find a 
particular such pair (3\ and /?2- 



The security of the proposed signature scheme relies on the intractability of two related problems: 
B2: Given a G O and the knowledge a = (3(3 where (3 is binary, find such a (3. 



B3: Given a finite set A C O and the knowledge that some binary element (3 G O divides every 
q G A, find such a (3. 



In the ring of rational integers these problems correspond to factorization (Bi), finding the square root of a 
perfect square (B2), and obtaining the GCD of a set of integers (B3). Of these, only factorization remains 
intractable, the square root and GCD being computed efficiently by Newton's and Euclid's algorithms re- 
spectively. The failure of unique factorization in O, already for N > 23 [MM], implies that a Euclidean 
algorithm is not available for efficiently solving B3 in these rings. Although B2 and B3 are clearly easier 
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than Bi, what makes the ring O attractive is that even the former problems appear to be intractable when 
the size of the problem corresponds to N, rather than the sizes of the rational integers in the specification 
(coefficients in the standard basis). It is also for this reason that we restrict the unknown factors or "square 
roots" to be binary. 

Clearly problem B2 becomes easy when the density of O's in the binary element is either very large or very 
small. Rankenburg [R] shows that the symmetric case j3 = (3 also represents an easy instance of B 2 . For 
symmetric f3 the unknown phases are either or tt, and in particular, one of the following equations holds: 
<Ti(/3) = ±Y / ci(a). Solving either equation for the set of unknown binary components of (3 is equivalent to 
solving subset-sum problems of arbitrarily low density (see section |47TT >. and methods based on lattice basis 
reduction [LO] provide a polynomial-time algorithm. 

While the algebraic statements of the bit retrieval problems above seem natural, the most efficient known 
algorithm for solving B2, in particular, is entirely non-algebraic. For this algorithm (section l43t . as well 
as integer programming methods (section 14.2b . what matters is the following formulation as a geometric 
feasibility problem in the ring R. We recall that autocorrelations of corresponding binary elements in the 
rings O and R are simply related by (fT3b . 

Consider two subsets of R: the hypercube 

B := j/?Gi?: \p\i = ±\> 0<i <JV-lj , (15) 

and for any a G R, the set 

T a := {/? G R: 0j3 = a} . (16) 
The restatement of B2 as a feasibility problem is then: 

B' 2 : Given a G R, known to be the autocorrelation of a binary element, find B PiT a . 

When characterized by its Fourier transform, the set T a is recognized as a pair of (N — l)/2 dimensional 
tori. Let (3 G T a , then the definition ( fToT ) implies 

o"o(/?) = ±\Z a o( a ) 

I (IV) 

WM\ = V^iC") ' l<3<(N-l)/2, 

with no further constraints required on the remaining components because of complex conjugation symme- 
try. Using the linearity of the Fourier transform it is straightforward to show that the convex hull of T a is 
given by 

h(T a ) := {/3 G R: M/3)| < y^M, < i < (N - l)/2} . (18) 

Since convex relaxations of constraints typically simplifies feasibility problems, we also consider the convex 
hull of the hypercube, 

h{B) := UeR: \[(3\i\ < i 0<i<N-l\ . (19) 
The convex relaxations that apply to problem B' 2 are summarized in the following: 
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Theorem 3.1. Let a G Rbe the autocorrelation of a binary element; then 

BDT a = h(B) DT a = Bf) h(T a ) 



(20) 



Proof. The equality of these sets follows from the observation that if j3 G h{B) then [|/3|| < N/A and 
equality requires [3 £ B. Similary, if r G h(T a ), then 

AT-l iV-1 AT-l 

^k,(r)| 2 <^a J (a) = ^| C r i (/3)| 2 , (21) 

i=0 i=0 i=0 

where f3 is some binary element. Thus ||r|| < \\f3\\ = iV/4 and equality implies r G T a . Now suppose 
7 G M-B) H T a ; then since 7 6 T tt we know ||7|| = N/4. On the other hand, since 7 G h(B), this norm is 
possible only if in fact 7 G -B. The same argument shows that B n h(T a ) = B n T a . □ 



3.1 Uniqueness in bit retrieval 

For the digital signature scheme considered in section [5] which derives its security from the conjectured 
intractability of bit retrieval, there is no requirement that the solutions to any of problems Bi, B2, or B3 
be unique. As described in more detail in section |6j this scheme only requires, more generally, that it is 
difficult to find any solution with small Euclidean norm. It is interesting nevertheless, to ask what varieties 
of non-uniqueness can occur in bit retrieval. Our remarks here will address problem B2. 

Clearly if (3 G O solves B2 then so does f3. This together with the statement expressed in the following 
lemma characterizes the symmetries inherent in bit retrieval. 

Lemma 3.2. If (3 G O and /3j G O are two solutions of an instance ofB2, then 7 = ±£ fe for some k. 

Proof. Since both solutions must have the same autocorrelation, 77 = 1. This implies (AA(7)) 2 = 1 and we 
infer that 7 is a unit. Kummer's lemma can now be used to rewrite the autocorrelation of 7 with the result 
7 2 = ( k for some k. This shows that 7 is a 2A r -fh root of unity, as asserted. □ 

Beyond the symmetries that apply to any solution, problem instances can suffer from special forms of non- 
uniqueness. One of these has a counterpart in crystallographic phase retrieval [PS] and applies when a 
solution is a product (3 = (3\(32, and neither factor is of the form ±£ fe . It may then happen that [3' = (3\{32 
is also binary and not related to /3 by one of the symmetries discussed above. Since (3 1 has the same auto- 
correlation as f3, it also solves B 2 . An example of this mechanism for N = 13 arises for the autocorrelation 
PP = 3. From the factors ft = 1 + C 2 + C 7 and (3 2 = 1 + C 3 + C 4 one obtains (3 = -( - ( 8 - ( 9 - C 12 
and [3' = —C, — C 5 — C 6 — C 8 as tne two binary solutions. Instances with non-unique solutions, such as this 
one, become very rare as ./V increases. In a set of experiments with 23 < N < 53, random binary (3 were 
drawn from the uniform distribution using a pseudo-random number generator. When the autocorrelation of 
(3 was given to the difference map algorithm (see below), the solution j3' was compared with f3. The fraction 
of solutions (3' not symmetry-related to (3 was found to decrease rapidly with N, as shown in Table 1 . 
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N = 23 


29 


31 


37 


41 


43 


47 


53 


0.044 


0.024 


0.019 


6.1 x 10~ 3 


2.4 x 10~ 3 


1.4 x 10~ 3 


4.7 x 10" 4 


1.5 x 10~ 4 



Table 1 : Probability of non-uniqueness in bit retrieval 



3.2 Facts concerning the norm 



With N fixed, what characterizes hard instances of bit retrieval? The norm M{[3) of the secret binary element 
(3 G O is a natural candidate and in fact establishes a connection with the subject of cyclic difference sets. 



Theorem 3.3. Let (3 G O be binary, then N([3) < ( 



N+l 



N=l 
) 2 



and equality holds only if (3 is perfect. 



±± for 



Proof. Let /3r be the binary counterpart in R of a binary element (3 G O (see ©); then 
< * < JV-1. Let Hj := \[a(f3)}j\ 2 = \[cr{f3 R )]j\ 2 denote the squares of the corresponding Fourier moduli. 
Using expressions d9l fTTT) for the Euclidean norm and (fT4l for the algebraic norm, we have: 



R 



N-1 
N-1 

n ^ 



iV2 
4 



Applying the arithmetic-geometric mean inequality to the numbers fij we obtain: 

M{(3)< 



N 



iV-l 
2 



(22) 



(23) 



(24) 



Since (3r has an odd number of ±i components, o~q{I3r) 2 > \ and the stated bound on N([3) follows. 
Equality of the arithmetic and geometric means requires that the (squared) Fourier moduli fij are equal, and 
this is one way of characterizing a perfect j3. □ 



We will refer to binary elements that achieve the upper bound in theorem 13.31 as Hadamard because of 
their direct relationship to Hadamard cyclic difference sets. More generally [Ba], a cyclic difference set 
can be defined in terms of the cyclic group G of order N acting on binary elements (3 G R with generator 
cj \ {3 i — ^ xf3. Defining a subset of G by D := {g' L : [f3]i > 0, < i < N — 1}, we can ask if it is possible 
for every nonidentity element of G to appear exactly A times in the set {d\d2~ 1 : di, c?2 G D}. If this is the 
case, and the cardinality of D is k, then 

(N - 1)A + k = k 2 , (25) 

and D is declared a cyclic difference set with parameters (N, k, A). The binary (3 which defines such a 
difference set will then satsify (f3 + \<&n){(3 + \®n) = [k, \, \, . . . , A], that is, (3 will be perfect since 
^ (f3/3) = k — A (a rational integer). A Hadamard cyclic difference set maximizes k — A to the maximum 
value consistent with the norm bound from theorem l3~3l 

N+l 

k - A = . (26) 
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From d25l and d26b one obtains the Hadamard cyclic difference set parameters (N, ^-?r-, ^-g- 3 -), which evi- 
dently require that N = 3 mod 4. 

There is a simple construction of Hadamard cyclic difference sets for any prime N of the form 4m + 3 [Ba]; 
the formula for the corresponding binary G O is given by: 

Wi = 1 ~ 2 ^<i<N-l), (27) 

where the Legendre symbol (i\N) equals 1 whenever i is a square in the finite field of order N, and —1 
otherwise. For certain special values of N, such as N = 2 m — 1 and N = Am 2 + 27, other constructions 
of Hadamard cyclic difference sets are known [Ba]. An example of a Hadamard integer for N = 7 is 

(3 = 1 + C 2 + C 3 - 

The norms of "random" binary integers are typically significantly smaller than the norm of a Hadamard 
integer. This is made precise in the following theorem. 

Theorem 3.4. Let (3 £ O be treated as a discrete random variable with uniform distribution on the set of 
binary integers; then as N — > oo the random variable S := log jV(/3) has expectation value 

E(S) = i (log (N/4) - 7 )N, (28) 
where 7 = 0.577215 . . . is Euler's constant. 



Proof. Define the random variables Zj := o~j((3) £ C, 1 < j < Each Zj is the sum of N independent 

two-valued random variables, for which the Lindeberg criterion [Bi] is easily verified. Thus as N — > 00 
each zj = xj + iyj is normally distributed in C with distribution 

P(zj)dxj dyj = — ex P ( — 4|zj| 2 /iV) dxj dyj . (29) 
The desired expectation value may now be calculated as follows: 

E(5) = E(E^r 1)/2 log|^| 2 ) (30) 

n r 

~ — \og\z\ 2 P(z)dxdy (N -> 00) (31) 

= — log (tJV/4) e"' tft , (32) 



and the stated result ( 12 8 1 follows. □ 



The norm of a random binary integer is thus smaller by a factor of order exp (— r yN/2), relative to the norm 
of a Hadamard integer. Below it is speculated that this may account for the fact that the difference map 
algorithm typically requires many more iterations for the retrieval of a Hadamard instance. Although the 
difference map algorithm is non-algebraic and works with the geometric formulation B' 2 , the norm is still 
relevant because of the fact expressed by the following theorem. 
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Theorem 3.5. Let (3r be an embedding of '(3 £ O in R, 



[Pr]o = r (33) 
\Pr], = \0\j+r, l<j<N-l, (34) 



where r £ R is arbitrary. Then 

'8vr 



2 Ar ~ 1 

vol(T«) = 2(^ * VWW), (35) 



where T a is the torus defined in (176*1) a«<i specified by a = (3r[3 r . 



Proof. Consider a point r G T a . From (flTt we infer 

(T (r) = ±Wo(0r)\ (36) 
= kj(/3fl)|exp% = kj(/3)|exp% , (37) 

where the angles ^ for j = 1, . . . , are arbitrary and related to the others by 0j = —4>N^j. This shows 
that topologically T a comprises two smooth tori of dimension ^p". The angles 4>j serve as convenient 
coordinates in the explicit representation for a general point r G T a : 

t = ±a^ ■ \<t (Pr)\ + a' 1 ■ \a((3)\ expi0 . (38) 

The computation of the volume is now an elementary exercise in calculus and leads directly to the quoted 
value. □ 



4 Algorithms 



Bit retrieval falls within the scope of at least three algorithmic frameworks: (i) algebraic number theory, (ii) 
integer programming, and (iii) phase retrieval. We describe below all three as they apply to problem B2, or 
its geometrical formulation B' 2 . Problems Bi and B3 are almost indistinguishable from B2 within the alge- 
braic approach, whereas the integer programming and phase retrieval techniques first require geometrical 
reformulations of Bi and B3 before these methods can be applied to them. 



4.1 Algebraic number theory 



In the algebraic approach the secret binary integer (f3 in problems B2 and B3, [3\ or fi% in Bi) is first identified 
by the principal ideal it generates in O: I = {(3). This task is relatively easy and almost insignificant in 
comparison to the subsequent task of finding a binary generator of /. There are algorithms [Co] that take 
as input the generators of an ideal I and return a single generator 7 if / is found to be principal. This 
would appear to be a good technique, since the desired binary generator j3 can then be expressed in the 
form [5 = wj, where u is a unit. However, algorithms for principal ideal testing require information about 
the class group of O, making this approach prohibitive already for N > 67 [Bu]. An alternative, used 
in the algorithm below, is to work only with the lattice structure of / and seek a binary element (3' € I 
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without the guarantee that (/?') = /. Since there are so few binary elements in /, a practical approach is 
to enumerate them completely using the Fincke-Pohst algorithm [FP] and thereby discover the particular 
element that generates /. The complexity of the algebraic approach is thus determined by the complexity of 
an associated lattice search problem. 

An example with N = 23 should serve as a substitute for a formal specification of the algorithm. The 
identity of the secret binary (3 is contained in its autocorrelation a = (3/3, say 

a = -[5,7,4,5,7,7,5,6,8,6,6,6,6,8,6,5,7,7,5,4,7,5] , (39) 

or in products 71 = (3(3\, 72 = (302, etc. Suppose we are given just two: 

71 = [3,0,0,2,0,-1,-1,1,0,-2,0,0,1,2,0,3,2,0,2,2,2,-1], (40) 

72 = [0,2,0,-1,0,1,0,1,0,0,-1,-1,0,0,-1,1,1,1,1,0,0,0]. (41) 

Using efficient algorithms (see [Co]) the ideals generated by a, 71 and 72 can be factored into prime ideal 
factors with the following result: 

(a)=hhhh (li) = hhh (l2) = hhhh (42) 

h = h = (47, 15 + C) h = U = (5843, 1833 + (43) 

I 5 = (174157, 61966 + h = (47, 13 + I 7 = (1979, 152 + (44) 

As an example of an instance of problem Bi we would be given only 71, say, and the factorization d42l 
would provide us with eight candidate factorizations of ((3). This includes the rare possibility that (3 is a 
unit. The number of trial factorizations to explore will almost always be small, and this is especially the case 
for the other two bit retrieval problems. In problem B 3 we have factorizations for both (71) and (72), giving 
only four possible factorizations of ((3). Moreover, the random origins of (3\ and /?2, say in a digital signature 
scheme, would imply ((3) = with high probability. Finally, in problem B2 we know that a decomposes 
into a complex conjugate pair giving only two possibilities to consider, ((3) = /1/3 and ((3) = I1I4. 

For each candidate factorization, the number of which will be small, another standard algorithm [Co] returns 
the lattice basis of the corresponding ideal product in Hermite normal form. Given this basis we can in prin- 
ciple determine if the lattice contains a nonzero binary vector. From experiments with ideals generated by 
random binary elements we find that with high probability the Hermite normal form basis has the following 
simple form: 

Vj := aj ( + C j (l<j<N-l). (45) 
This is also the case for the correct factorization choice in our example, ((3) = where 

a =[274620, 218518, 159293, 98597, 171309, 37690, 214991, 11132, 50442, 252742, 78333, 

231057, 55808, 42203, 207268, 79601, 242822, 193340, 248383, 212667, 72735, 58266] . (46) 

We note that a\ + 1 = 274621 = M{(3). In general, lattices of high index are unlikely to contain any 
nonzero binary vectors, in particular, the secret (3. Given a "random" lattice of index M{(3) one expects 
to find (2 N ~ 1 — l)/N((3) binary vectors, a number which vanishes with N as (Ne^ 1 /16)~ N ^ 2 using the 
asymptotic result of theorem l3~4l We may therefore conclude that an exhaustive search for nonzero binary 
vectors in the lattice generated by the Vj will either yield no results, as in fact happens when the wrong 
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algorithm 


N = 23 


29 


31 


37 


41 


43 


47 


53 


algebraic number theory (kant4) 


0.8 (sec) 


9.9 


31 


3800 


62000 


* 


* 


* 


integer programming (bonsaiG) 


0.2 (sec) 


27 


7.2 


79 


8000 


4300 


11000 


* 


phase retrieval (difference map) 


< 0.1 (sec) 


< 0.1 


< 0.1 


< 0.1 


0.4 


1.1 


0.5 


2.9 



Table 2: Timing results for three bit retrieval algorithms on 7r-sequence instances 
for software running on a single 1.67 GHz Athlon processor (* time limit ex- 
ceeded). 



factorization (/3) = I1I3 is tried, or will produce just the desired solutions 1 < i < N. Any binary 
element j3' produced by the search must be tested against the given autocorrelation a since, as an element 
G (f3), we only have the guarantee that a divides j3'/3'. This does not pose a problem in practice since 
j3' j3' 7^ a implies M{[3') > N((3), corresponding to an even smaller expected number of binary vectors 
with the incorrect autocorrelation. For the example above, in fact, the search found only the true solution 

/3= [1,1, 0,0, 1,0, 0,1, 0,0, 0,0, 1,1, 1,1, 1,1, 0,1, 1,0] (47) 

and its 22 multiples with powers of (. 



For lattice bases of the form d45l . the problem of finding a binary vector is closely related to a subset sum 
problem. Let A = {02, «3, • • • ajv-i}. then finding a binary vector is equivalent to finding a subset A' C A 
with sum Y,(A r ), such that X(A') £ {0, 1} (mod jV (/?)). Because the subset sum problem is known to 
be NP-complete [GJ], this approach to bit retrieval cannot guarantee a polynomial-time solution. However, 
by expressing the subset sum problem as a shortest lattice vector problem, Lagarias and Odlyzko [LO] 
showed that instances with sufficiently small density d can be solved efficiently using lattice basis reduction 
algorithms, where 

d := 4l T • < 48 > 

Evaluating this for bit retrieval instances, where \A\ = N — 2 and a < N((3) for all a G A, we obtain 

d > N ~ 2 N ^°° (49) 

log 2 Af(/3) log(JV/4)- 7 ' 

using the result of theorem 13.41 The bound d49l violates the criterion found by Lagarias and Odlyzko, 
who showed that d must be no greater than 0(1/N) in order for the LLL polynomial-time basis reduction 
algorithm [LLL] to succeed in solving the subset sum problem. 



The Fincke-Pohst nearest vector algorithm [FP] would appear to be the best technique for finding a binary 
vector since it guarantees a solution regardless of density while also taking advantage of LLL basis reduc- 
tions. When given the generators Vj and target vector [5, • • • ,5], this algorithm returns all binary vectors 
in the lattice generated by the Vj. Table 2 gives running times for the kant [K] implementation of this 
algorithm on bit retrieval instances up to N = 41. All instances were generated by taking the leading N — I 
base 2 digits of ir = 11.001 ... as the components of the secret binary integer j3 G O in the standard basis. 
These same "7r-sequence" instances, (3 = hn, were used to test the other two algorithms discussed below. 
The solution given in d47t is 7^3. 



It is probably no coincidence that the long running times for N > 31 coincide with the relatively abrupt 
onset of the LLL algorithm's inability to discover generators for ideals {(3) when given a lattice basis in 
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N = 29 


31 


37 


41 


43 


47 


53 


0.923 


0.851 


0.504 


0.232 


0.158 


0.070 


0.011 



59 
0.002 



Table 3: Success rate of principal ideal discovery by LLL basis reduction 



Hermite normal form. Results for the latter problem are shown in Table 3. In these experiments LLL 
reduction was applied to the Hermite normal form basis of the principal ideal generated by a random binary 
element f3 € O. A successful instance of principal ideal discovery was declared if one of the reduced basis 
elements v'- satisfied A/"(u'-) = M(/3). From the results in Table 3 we see that the success rate vanishes 
rapidly with increasing N, beginning at about N = 31. 



4.2 Integer programming 

The form of the feasibility problem B' 2 that is most amenable to the techniques of integer programming is 
that given in theorem l3~71 of finding an element in the intersection B n h(T a ). Although h(T a ) is convex, 
standard integer programming algorithms based on linear relaxations also require that this set be defined by 
linear inequalities. We therefore make the further relaxation of replacing h(T a ), geometrically a product of 
disks, by a product of squares (and one interval): 

sh(T a ) := {f3 e R: \a (f3)\ < VM<*) , 

I I 1 (50) 

M<rM)\ < > \*(°i(P))\ ^ V^' (a) ' 1 - j - N - 1 j • 

Since h(T a ) C sh(T a ), all bit retrieval solutions are contained in B n sh(T a ). Although we cannot rule 
out the possibility B n sh(T a ) / fin h(T a ), this is a concern only if the relaxed problem admits too many 
additional solutions. Experiments show that in fact this is not the case: only bit retrieval solutions were 
found in all the instances studied. 

In standard linear programming notation, the feasibility problem for B n sh(T a ) is expressed as: 
find: b G {—5, 

such that: \C ■ b\ < a and \S ■ b\ < a 

where: a t = \fa^a) Cij = cos (2mj/N) Sij = sin (2mj/N) (0 < i, j < N - 1) 

This linear program comprises exactly 2N independent and nontrivial inequalities for N binary variables. 
Somewhat unusual is the fact that the coefficient matrices have nearly unit density. Solution times for the 
general-purpose solver bonsaiG [Ha] on the 7r-sequence instances are given in Table 2. Over the limited 
range studied, it appears the performance of the integer programming algorithm is somewhat better than that 
of the algebraic number theory based algorithm. 
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4.3 Phase retrieval 

Because the constraints in phase retrieval are typically nonconvex, very different solution strategies have 
evolved to solve these problems. Although not true algorithms in a strict sense, with a bounded running time, 
these methods are very successful and are not likely to be replaced by more rigorously defined algorithms 
in the near future. Here we apply a general purpose phase retrieval method, the difference map [El], to 
problem B 2 . The difference map applies to the general feasibility problem of finding an element in A n B, 
where A and B are arbitrary sets in a Euclidean space. Practical implementations of the difference map are 
limited to situations where the projectors and rig, to respectively the sets A and B, can be computed 
efficiently. A brief description of the method is given in the Appendix. 

We choose for our two sets the torus T a and hypercube B (as instances of the general sets A and B of the 
Appendix); experimentation indicates there is no advantage in using either of the convex relaxations given 
in theorem l3~T1 The projectors Tlx a and rig are maps R — > R where 

U Ta := Oq 1 ■ n • a + a' 1 • g • a (51) 

is more naturally expressed in terms of the projectors Ilo : K — > K and n : C^ -1 — > C^ -1 . The projectors 
n b and n act componentwise and the action of all three projectors on components p;,^ S 1 and pj £ C 
takes a similar form: 

n (po) 

5(&) 

That all three are distance minimizing is immediately clear given the two ways ^\ fTTT > of expressing the 
Euclidean norm; the definitions for the exceptional cases (pj = 0, etc.) are arbitrary but apply to sets of 
measure zero and therefore never arise in actual computations. 

The difference map with parameter (3 = 0.7 (see Appendix) found solutions for bit retrieval instances 
significantly faster than either of the other algorithms (Table 2). Figure 1 shows results for the 7r-sequence 
instances in the range 29 < N < 109 and the significantly more difficult Hadamard sequences for N = 
31, 43, 47 and 59. Several runs were performed for each instance in order to reliably obtain the mean number 
of iterations Iq required by the algorithm to find the solution. From the overall linear variation of log 2 (io) 
with N of the 7r-sequence instances, one obtains the estimate 2 cN for the average-case complexity, with 
c 0.22. The complexity is dominated by the exponential number of iterations performed, since the time 
required per iteration grows only as 0(N log N) (from FFT computations). The Hadamard sequences were 
selected for study because they saturate the norm bound (theorem l3.3t . For these instances the complexity 
of the algorithm follows a distinctly steeper exponential growth, with c 0.69. 
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l/2( Pl /\p t \) if^O, {0<1<N _ 1) (52) 
1/2 otherwise. v ~ ~ ; v 



y /ao(a) (po/\po\) ifpo/0, 

y oo(a) otherwise. 

V°j(a) (pj/\pj\) if Pj 7^0, 

J <7j (a) otherwise. 



(53) 

(l<i<iV-l) (54) 




Figure 1 : Complexity of the difference map algorithm for two sets of bit retrieval 
instances. Plotted vertically is log 2 (Iq), where Iq is the mean number of iterations 
performed by the algorithm. Instances fall in the range 29 < N < 109 (horizon- 
tal axis) and include 7r-sequences (solid circles) and Hadamard sequences (open 
circles). 



5 Public key signature 



The economy of hiding binary sequences within their autocorrelation almost rivals that of the RSA scheme 
of hiding a pair of large primes within their product [RSA]. As for the task of retrieving binary sequences 
from their autocorrelation, the survey of algorithms in the previous section lends some evidence to the 
possibility that bit retrieval may be even harder than factoring large integers. These two considerations 
combined, economy and intractability, provide motivation to design cryptographic systems based on the 
one-way nature of the autocorrelation operation. Below we propose a digital signature where private and 
public keys are related by this one-way function. In its broadest description this scheme belongs to the class 
of cryptographic systems based on lattices (see [MG]), a notable example being the NTRU system [NTRU] 
whose lattices, as here, are ideals of the ring Z. The characteristic of the new scheme that represents a 
departure from other lattice-based systems, including NTRU, is the simplicity of the relationship between 
private and public keys. In that the latter can be viewed as the product in an algebraic number field, the RSA 
relationship between private and public keys provides a natural point of comparison. On the other hand, 
by using the degree of the number field (N — 1) as the security parameter, and in particular not having the 
benefit of a Euclidean division algorithm, the new scheme enters largely unexplored territory. 

A brief description of the scheme developed below begins with Alice, who wishes to apply her signature 
to a piece of data. We consider two closely related situations: (1) Alice signs a general digital document 
by attaching her signature, and (2) Alice signs data that may even be analog in nature by modifying it 
irreversibly. The term watermark will be used when referring to case (2). In both cases the input to the 
signing operation is an element p € R. The watermarking situation is the most straightforward, where p is 
simply a set of N samples of say an audio signal or grayscale image. We assume the individual samples 
are measured to sufficient resolution such that when rescaled to unit resolution the corresponding elements 
p G Z have a large range, say < [p]i < M with M = 2 8 , for example. In the more general situation (1), 
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we assume that the element p G Z is the output of a public message digest (one-way hash function), applied 
to the digital document. 

Alice's private key is a secret binary integer (3 G O that defines a map Sp: R — > Z which sends the input 
p to an element pp 6 Z with the property ^(pp) £ (30. In essence, the signing operation corresponds 
to quantization of the "cyclotomic content" of p on a secret principal ideal. A key property of the signing 
map is the guarantee ||p — pp\\ < A, where A is a parameter. In the watermarking scenario this is clearly 
important if the signed data is to serve as a substitute for the original. More significantly, particularly when 
signing a message digest for which fidelity is not an issue, the smallness of A provides security against 
forgeries. 

By signing the data Alice hopes to be able to assert her authorship when challenged, for example, by Bob. 
Moreover, Bob may independently have an interest in establishing the authenticity of data attributed to Alice. 
Both needs are met if Alice publishes the autocorrelation of her private key, a = (3(3. To verify authorship or 
authenticity, Bob must check two things. First, he computes the autocorrelation of the data in O, ^(pp~pp), 
and checks for divisibility by Alice's public key a. If a does not divide ^(pppp), then Bob concludes the 
data is not quantized on Alice's secret ideal (3 O. Second, in the message digest scenario, Bob applies the 
public hash function to the document to obtain p and checks that \\p — pp\\ < A. If the inequality is violated 
Bob concludes that the signature was forged. In the watermarking scenario, where Bob does not have access 
to the original p, the violation of this inequality manifests itself in a signal, image, etc. that is so distorted to 
be immediately suspect. 

The security of this scheme rests on two assumptions: (1) extracting Alice's private key from her public key, 
or bit retrieval, is computationally infeasible, and (2) without access to Alice's private key it is infeasible to 
compute good quantizers for her secret ideal. Attacks which test these assumptions will be refereed to as 
"direct" and "counterfeiting", respectively. 



5.1 Key generation 

From the empirical complexity estimate 2 cN , c « 0.22, for the fastest known algorithm, it appears that bit 
retrieval becomes effectively infeasible for relatively modest values of N, say N > 250. Once N is fixed, 
the success of bit retrieval by the difference map can be further diminished by increasing the norm of the 
private key (3, as implied by the observed correlation between the latter and the average number of iterations 
performed by the algorithm (Fig. 1). Since the norm can be calculated efficiently, a practical method for 
optimizing the key is to simply generate a large number of binary integers using a pseudo-random number 
generator and select the one with the largest norm. 



5.2 Signing 

The process of signing an element p G R (data, message digest) is accomplished by the map Sp: R — ► Z 
defined by 

Sp(p) := ■ a (Qp(p)) + tt (p)\ , (55) 
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where Qp : R — ► (3 O is the quantizing map that requires the private key j3, and [ J rounds each component 
in the standard basis to the nearest integer. Since Qp(p) G O, we have a -1 • a {Qp{p)) = a + q &n for 
some «eZ and q G Q. Moreover, since 7ro (p) = r <£]v for some r G R, all components acted upon by the 
rounding operation have the same fractional part and we have 

Spifl) = (J- 1 -a (Qp(p)) + 7T (p) + e , (56) 

where |e| < |. From d56l ) we infer that ^(S^p)) = Qp{p) and ttq(S/3(p) — p) = e§N, showing that Sp 
preserves the cyclotomic "codeword" Qp(p) and the embedding in Z achieves the minimum distance when 
projected onto the ideal M &n- 

The quantizing map Qp seeks to find the element of the ideal (3 O that minimizes the Euclidean distance to 
p in the orthogonal complement of M &n, the space R± = R/ (<&at). Since this closest vector problem is 
hard for the arbitrary ideals (lattices) specified by f3, we use an approximate but computationally efficient 
form for Qp. For arbitrary p G R, define 

Qp{p) ■= P Qo {o-- 1 ■ (a{p)/a{(3))) , (57) 

where the division sign denotes componentwise division and Qo is the quantizer R± — > O for the norm 
dT2l . For (3 7^ this map is well defined since the complex numbers aj{[3) will all be nonzero. 

The problem of computing Qo (7) for 7 G is equivalent to vector quantization for the dual of the root 
lattice An -1 and is treated by Conway and Sloane [CS]. In the following we describe the algorithm given 
by Scheidler and Williams [SW] in the context of Euclidean division algorithms for cyclotomic fields. We 
first obtain [7] G Z by taking the floor of each component in the standard basis. The fractional parts 
of the components are then sorted to obtain a permutation {po ••• Pn-i} of {0 ... N — 1} such that if 
7 — LtJ = SfcLo 1 e i xP *> tnen e o < e i • • • < ejv-i- Using this permutation we recursively generate the 
sequence 70 • • • 7jv-i> where 70 = [7J an d 7«+i = 7? + x Pt . The quantizer is then given by Qo{l) = 
$(7i), where i identifies the element of the sequence that minimizes H7 — 7i||j_. From the geometry of the 
fundamental domain D C R± of O (see [CS], [L]) one obtains the following bound on the quantization 
error: 

iV 2 - 1 

||7-Qo(7)IL<^2j\T- (58) 

The mean-squared quantization error Ao is defined as the expectation value of H7 — QoWIU when 7 
is uniformly distributed over a region in R± that is large enough that edge effects can be neglected, or 
equivalently, where 7 is uniformly distributed over D. A formula for Ao, useful for small N, is given in 
[CS]. 

When N is large a good alternative to the quantizer Qo is the simpler map Qz : 7 1— > ^( [7J ). For uniformly 
distributed data one can show [E2] that the improvement in the quantization error, of Qo over Qz, is almost 
always negligible as N — > 00, a fact that also implies the asymptotic limit Ao ~ j|. The approximate 
quantizer Qz can be computed somewhat faster than Qo- 

A quantitative measure of the fidelity of the signed data is the evaluation of the mean-squared quantization 
error A^ of the map Sp. 

Theorem 5.1. For the signing map specified by A55i and uniformly distributed data p G R 

Ag := E(||S a (rt-p||) (59) 

= ~(^ £ I«/'IU + ^) (60) 
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Proof. The calculation combines the two forms of quantization error already discussed. The arguments 
leading to d56l show that the real number e defined by 

Spip) -p = o-- 1 - (o(Qp(p) - a(p)) + e <5> N (61) 

is uniformly distributed in the interval (—5, 5) when p is uniformly distributed in R. For quantization in 
R± by Qo we have the statement that 6 G R± defined in 

Qp(j>) = (<r _1 ■ (<r(p)/a(f3)) + 6) (62) 

is uniformly distributed in the fundamental region D of O. Moreover, the distributions of e and 5 are clearly 
independent. From d62b we have 

a(Q p ) = a(p)+a((3)a(5) , (63) 
with the result that doTt may be rewritten as 

S (3 (p)-p = a- 1 -(a((3)a(5))+e^ N . (64) 

Taking the norm of (l64l we have 

\\S p {p)-p\\ = \\<j~ 1 ■(a((3)a(6))\\ ± +e 2 N (65) 
= i (a(/3)a(S)) ■ (a((3)a(6)) + e 2 N . (66) 

What remains is taking the expectation values E(e 2 ) = ^ and for 1 < j < N — 1, 

EfoO^-Oy)) = ^EK{)^(5)) (67) 
A E(P|U) (68) 



N —1 

N 

N-l 



A , (69) 



since the left side of d67t is clearly independent of j. After applying these averages to d66t we obtain the 
result (J^njl for the mean-squared quantization error: 



j'=i 

A ^ ... _ iV 



j'=i 

JV-l 

Y _ T E^(^) + ^ (71) 



□ 



The most direct way of assessing the fidelity of a watermark is by comparing the root-mean-squared quan- 
tization error per component for uniformly distributed data, 
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with the range of values in the data. We are primarily interested in <5 rms when (3 is a random binary key and 
N is large. If (3r is the corresponding binary key in R, then = \\Pr\\ — co(/5i?,) 2 /-^ ~ N/4, since 

co(Pr) = 0(V~N). Combining this with d6Qb and Ao ~ ySj, we obtain 

oo) . (73) 

In the image watermarking application of section^ for example, the elements of data are blocks of N = 379 
pixels, and the range of each component (pixel) is an 8-bit integer. Signing an image with the map Sp thus 
modifies each pixel (±) by 5 Tms 2.8, or about 1% of its range. 

Associated with the application of a watermark is a loss of information that can be used as a means of 
normalization when comparing with other schemes. The map Sp is an example of a lattice quantizer, for 
which the lost information content corresponds to the volume V of the region in R that maps to any particular 
"codeword" in Z. Since this region comprises the product of a unit interval in M$jv with a fundamental 
region of j3 O in R±, we have V = M{j3). The standard normalization applied to the root-mean-square 
quantization error per component is the following [CS]: 

G ■■= (™) 

e 7 

~ — « 0.148423 ... (N -> oo) , (75) 

where d75b was obtained using d73b and d28b for random binary keys j3. When the input to the signing 
operation is already a digital document, this value can be compared with Wong's watermarking scheme 
[W]. In Wong's scheme the least significant bit of each element of a block of data is replaced by the output 
of a one-way hash function applied to the block. The parameters for Wong's watermark are thus 5 rms = \, 
V = 2 N , giving the slightly better value G = |. On the other hand, for analog data Wong's watermark can 
only be applied after a digital encoding step has made its own contribution to the net quantization error. For 
large N, Zador's analysis of random quantizers [Za] gives the bound G > l/(27re). 



A noteworthy property of the signing operation, as well as the verification step (below), is that it can be 
efficiently implemented without the need for arbitrary precision arithmetic: a finite precision general purpose 
FFT can perform all the necessary ring multiplications and divisions in a time that grows as iVlogiV. 
Assuming that the Fourier transform coefficients of the key, a {(3), are computed only once during the signing 
of many data items, a total of four FFTs are performed in the computation of Sp (p) for each p. Since all 
the other parts of the computation (quantizing with Qz, etc.) only involve O(N) arithmetic operations, the 
overall complexity of signing is nearly linear in the size of the data, 0(N log N). Verification is the stronger 
test of the finite precision arithmetic in that autocorrelations are involved. Tests with 12-bit data showed that 
standard double precision arithmetic was adequate for N < 1000. 



5.3 Verification 



To verify that a digital document has been signed by Alice, Bob makes use of four things: the message 
digest p G R resulting from the application of a public one-way hash function to the document, Alice's 
signed modification pp = Sp(p) G Z, Alice's public key a G O, and the fidelity parameter A. He first 
applies the verification map V a : Z — > R± 

Vaipp) ■= o"" 1 • [a(pppp)/a(a)) , (76) 
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and checks whether V a (pp) G O. Recall that if pp is quantized with Alice's private key (3, then a(pp) = 
a{(3^) for some 7 G O. Since a = (3(3, Bob computes 



and concludes that V a (pp) G O. When unsuccessful, V a (pp) is a non-integer in the cyclotomic field Q[C], 
that is, not all components in the standard basis will be integers. 

A fast, finite precision arithmetic implementation of this first part of the verification requires two FFTs, not 
counting a (a), which is computed once in the course of verifying a large stream of data. With the first 
FFT Bob computes a(pp); he then squares the modulus, divides by <r(a), and applies the inverse FFT to 
the result. To check for membership in O, he obtains the fractional parts of the components in the standard 
basis and compares these with zero, making allowance for the finite precision in the calculation. 

To complete the verification Bob checks that \\p — pp\\ < A. The parameter A is chosen to guard against 
forgeries. As discussed below, there is a significant gap between the range of distances \\p — pp\\ realized 
by Alice's quantizers pp and quantizers that can be computed by a forger. This gap grows with N so that A 
need not be specified precisely when N is large. In watermarking applications the last step of the verification 
cannot be performed because the original p is not available. Instead, the poorness of the forger's quantizers 
have the effect of introducing so much noise to the signal or image that the authenticity of the signature is 
immediately called into question (see sectionQl. 



6 Security 

Eve has at least two ways of undermining this signature scheme: she can attempt to determine Alice's 
private key (3 from the publicly available data, or she can sign data with a substitute for Alice's key and hope 
that nobody notices. It appears that both forms of attack, respectively direct and counterfeiting, become 
prohibitively difficult for reasonable values of N. 



6.1 Direct attack 

Since Eve has access to Alice's public key a = (3(3, as well as multiple signed data elements, p\ = (3~/i, 
P2 = /?72i • • •, it is fortunate (for Alice) that Euclidean algorithms cease to exist beyond A = 19 [MM] that 
Eve might use to extract the common divisor (3. An alternative approach for solving these instances of prob- 
lems B2 and B3 is to use the algorithms of algebraic number theory, as illustrated in section |4~T1 However, 
neither this approach nor the integer programming method for solving B' 2 was found to be competitive with 
the phase retrieval algorithm. The time complexity of the latter was investigated in section 1331 and appears 
to be exponential in N. A direct attack is thus infeasible with the currently known algorithms. 



6.2 Counterfeiting 

Since the verification challenge for this signature scheme tests for membership in the ideal (3 O, and the 
inclusion 0j O C (3 O holds for arbitrary 7 G O, data signed with any nonzero multiple of Alice's private 




(77) 
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key, say (3' = /3j, will also satisfy the challenge. Such counterfeit keys are publicly available, from Alice's 
public key a = {3/3, to the numerous elements of data Alice herself has signed: p\ = /3jx, p 2 = /?72, 
What makes these options for counterfeiting Alice's signature generally unacceptable to Eve is that the 
corresponding quantization errors will be large. The derivation of the root-mean-squared quantization error 
per component d72t is valid for arbitrary keys (3' (not necessarily binary) and can be approximated for large 
Nby 



12 

Now if (3' = f3 is a genuine (binary) private key, then the expectation value 



- • (78) 



E(||/3|U) ~ j , (79) 



assuming a uniform distribution on the binary keys, gives the estimate <5 rms ~ \J N/A8 obtained previously 
in {75J- If instead (3' = (3^, then 

E(||/?7lU)~ jIMU, (80) 

where the expectation value is again computed (details omitted) with respect to the uniform distribution on 
binary j3. The counterfeit key thus increases <5 rms by a factor of order \/ 1 1 Tl I _L - If instead Eve chooses to 
sign with Alice's public key, f3' = (3/3, then the expectation value (over uniformly distributed binary (3) 

E(||A3|L) ~ ^ (81) 



shows that <5 rms would increase by \J N/2 over its value when signing with the private key. 

The discussion above suggests making a minor modification to the quantization map d57b that ensures the 
outcomes Qp(p±) = /?7 have factors 7 with some minimum Euclidean norm that grows with N. It was 
already argued that fidelity is not significantly sacrificed when the quantizer Qo is replaced by Qz, and in 
fact this can be generalized to include the quantizer [E2] 

Q z - P±^V([p± + r$ N \) (82) 

for arbitrary r G R. The choice r = \ has a clear advantage when signing a block of data p where 
the components are nearly equal, as in watermarking parts of an image with small contrast. The input 
p± = a^ 1 ■ a (a(p)/a((3)) to is then a random vector with small components distributed around zero, 
for which with r = | produces a random binary integer as output. Quantizing with will thus almost 
always produce factors 7 with ||7||j_ > N/A. In the rare event that this is not true, the signer (Alice) can 
artificially amplify the contrast (by rescaling p±) until this condition is met. 

Eve is also severely limited in how much she can reduce her quantization error through the use of a better 
quantization algorithm. Since the dimensionless mean-squared quantization error is always greater than 
Zador's bound G > 1/ (2-7re) [Za], and Alice's quantizer Sp has G = e 7 /12, Eve can at most hope to reduce 
<5rms by the constant factor 1v /6/(7re l+ T) 0.628. 

Eve can mount a different counterfeiting attack by attempting to solve problem B3. Suppose 71 and 72 are 
two random elements of O, say with bounded components. For large N it will almost always be true that 
71 O + 72 O = O. Since Eve has access to several products (3^\, ^72 , . . . (signed data and public key), she 
can in principle construct the ideal generated by Alice's private key from the fact (3yi O + /3j2 O = (30. 
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In computational terms this corresponds to taking the union of the lattice generators of the two ideals and 
applying some form of lattice basis reduction in order to be able to recognize (3. For counterfeiting purposes, 
however, Eve does not have to succeed in finding (3: rather, she will be satisfied with any element of (3 O 
having a small Euclidean norm. Since this is exactly the kind of problem for which LLL basis reduction has 
proven to be effective, the following experiment was performed. 

For each N in the experiment, twenty "LLL attacks" were performed. The data for each attack was generated 
from three random binary integers: (3 (the private key), (3\ and fa- Available to Eve are the pair, p\ = (3(3\ 
and p2 = (3(32, representing two signed elements of data with small Euclidean norm, say, or one data item 
and the public key. The lattice basis F for p\ O + p2 O was constructed from Ti and T2, where 

T k = {Na- 1 -a(p k C):l<i<N-l} (A; = 1,2). (83) 

The scaling factor N produces an integral basis F for a lattice in R± to which basis reduction can be applied. 
From the construction of F it will almost always be true that there exists a reduced basis V where all the 
generators are binary vectors {(3Q 1 , 1 < i < N— 1) multiplied by N. The minimum Euclidean norm achieved 
for this reduction (after division by the scaling factor N) is therefore \\(3\\± ~ N/4. Computing F' from F is 
difficult, and we limit ourself to the reduced basis Tlll obtained by the LLL algorithm [LLL]. If the basis 
element of minimal norm, ^ m - m G Tlll, has an acceptably small norm, Eve can use it as a counterfeit key. 
As a figure of merit, the output of the experiment was the smallest value of the ratio r = ||7min||_i_/(Af/4) 
achieved for all twenty attacks. Values r ~ 1 indicate a successful attack, that is, where data signed with 
Tmin would not be noticeably more distorted than data signed with Alice's private key. Unsuccessful attacks 
have r > 1 , where larger values result in signed data that is more easily recognized as bearing a counterfeit 
signature. 

Figure 2 shows a plot of r for the range 23 < N < 97. For N < 50 the LLL attack is successful, 
providing Eve with a key in a reasonable time with which she can sign data that would be verified as Alice's. 
Beyond N m 50 the ratio r achieved by the LLL attack increases sharply to values where the computed 
key is not useable. Interestingly, for N > 89 it appears that LLL basis reduction is even counterproductive, 
the resulting 7 m i n having a norm that exceeds the norms ||pi||j_ ~ \\p2\\± ~ (N/4) 2 of the starting basis 
elements (shown as the line with slope 1/4 in Fig. 2). 



7 Image watermarking 

The signature scheme proposed in the previous section, when applied to image watermarking, illustrates 
the role of noise in the detection of forgeries. We recall that increasing the value of the security parameter 
N serves two purposes: (1) the corresponding bit retrieval problem, of extracting the private key from the 
public key or signed data elements, becomes harder, and (2) the quality of quantization with counterfeit keys 
becomes increasingly poor. Here we focus entirely on the second point. 

The creation of forgeries in the present context is known in the watermarking literature as a vector quan- 
tization attack [HM]. Wong [W] introduced the watermarking scheme where Alice modifies each block of 
pixels in their least significant bits by the output of a message digest applied to the block. The forger, Eve, 
is then limited to building her images out of exact copies of blocks that have already appeared in images 
signed by Alice. The set of available image quantizers — blocks bearing a valid signature — in the present 
scheme is considerably larger, being any elements of the lattice specified by Alice's private key. 
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Figure 2: Failure of LLL basis reduction to find a suitable counterfeit key when 
N (horizontal axis) is large. Each data point represents the smallest norm basis 
element 7 m i n found by the LLL algorithm out of twenty trials. The vertical axis is 
the ratio r = \\jjnm \\ i / (N/4), or the excess norm over the reduction corresponding 
to the discovery of the private key. 



There are numerous practical issues that our discussion omits, such as the method of partitioning the image 
into data blocks [Ce]. We are only interested in watermarks that are both invisible and fragile. The latter 
term refers to the property that changes in the value of even one pixel will cause a failure in the verification 
and facilitate the localization of tampering. 

Figure 3 shows the result of applying a digital signature, of the type described in section |5j to a 361 x 420 
pixel grayscale image. The pixels of the image were first partitioned into 19 x 20 rectangular blocks, where 
the dimensions were chosen so that the total number of pixels per block is one greater than a prime, in this 
case N = 379. The extra pixel was left unchanged by the signing operation. To ensure that the final signed 
image has 8-bit integer pixels, a global scaling and shift was applied to all the pixel values of the original. 
Since signing typically modifies a component by ±(5rm S ~ 2.8 (for N = 379), the parameters of the scaling 
and shift were adjusted to bring the pixel values of the original into the range 5 — 250. Frames (a) and (b) of 
Figure 3 are TIFF images using, respectively, the original and signed pixels as raster data. The two images 
are practically indistinguishable, with differences (c) discernible only at artificially high magnification. 

An attempted forgery is shown in (d), where quantization was not performed with Alice's short binary key f3, 
but a much longer counterfeit key (3j. The latter key was taken from Alice's signed image (b), specifically 
from the pixel block with smallest Euclidean norm. Blocks with small Euclidean norm arise in those parts 
of an image where the contrast is small. Recognizing this, image (b) was signed using the quantizer 
(and r = |) which avoids multipliers 7 with small norms. In (b) the smallest norm among the 399 blocks, 
II/^tIU ~ 4697, was considerably larger than that of the private key, ~ 95. The poor quality of the 

resulting forgery is the result of two mechanisms. First, the amplitude of the noise inuoduced by signing, 
or 6 ims , is increased by the factor y / ||/?7||_i_/||/3||_L ~ 7. Second, the increased value of 5 ims requires that 
the range in the pixel values of the original must first be compressed (by rescaling) in order that the signed 
values fall in the range - 255. The second mechanism has the effect of reducing the signal to noise ratio 
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(a) (b) 




Figure 3: Image watermarking application of the digital signature, (a) TIFF image 
of a paper watermark by Pietro Miliani Fabriano. (b) Modification of (a), signed 
with a binary key. (c) Details of original (left) and signed (right) images, (d) Noisy 
image produced by signing (a) with a counterfeit key. 
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of the signed image to practically zero when the counterfeit key ^7 has a sufficiently large norm. 
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9 Appendix: the difference map 

Let A and B be subsets of an iV-dimensional Euclidean space E. For the application discussed in section 1431 
E is the ring R. The specification of the sets A and B is computationally easy, while the task of comput- 
ing the intersection A n B is assumed to be difficult. The difference map is defined in terms of projectors 
11,4 and IL3, which map an arbitrary x G E to points in A and B that minimize the Euclidean distances, 
1 1 Ua (x) — x 1 1 and 1 1 IL3 (x) — x \ \ . Practical algorithms require that both projectors can be computed efficiently 
for any x G E. 

We are interested in solving 

find: x G A n B , (84) 

or equivalently, 

find: x G E such that x = U A (x) = IL B (x) . (85) 

The difference map D : E — > E, defined by [El] 

D(x) :=x + 0(IL B f A - U A f B )(x) , (86) 

is constructed such that its fixed points are simply related to the solutions of d85l . Here [3 7^ is a real 
parameter and the maps f A , f B ■ E — > E are defined in terms of the basic projectors by 

f A := (l+ 7A )n A - 7A (87) 
f B ■= (l+7B)n B -7s, (88) 
where 7^ and ^ B are two additional real parameters. At a fixed point of D, x* = D{x*), we have 

n B f A (x*) = U A f B (x*) := x sol , (89) 

and x so i evidently solves (l85l since 

n A (x sol ) = u A u A f B (x*) = n A f B ( x *) = x sol , (90) 

and similarly when acted upon by IL3 ■ In general x so \ 7^ x* , and the set of fixed points associated with x m \, 

{Tl A f B )-\x so] ) n {Tl B f A )-\x so \) , (91) 

is normally a continuum. The set of fixed points is not empty if a solution x so i exists, since x so i is itself a 
fixed point. 
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The parameters 7^4 and 75 are chosen to make the fixed points of D attractive. Satisfying this criterion 
for arbitrary sets A and B and optimizing convergence is in general difficult [E2]. Here we consider two 
particularly simple examples of the local behavior. First, if the sets A and B are manifolds we can approx- 
imate them by affine spaces in the neighborhood of a solution. After translating this solution to the origin, 
we make the further assumption that the corresponding linear spaces are orthogonal so that the projectors 
satisfy n^n^ = 0. The difference map then simplifies to 

D(x) = x - (3 1a ^b{x) + 13 1b ^a{x) . (92) 
Optimal convergence to the fixed points of D (the linear space ker 11^ n ker IIb) is obtained when 

1A = -IB = 1/P , (93) 

although this assumes both A and B have positive dimension. If either space is a point, then Ua = or 
IIb = and, respectively, the optimal or 7^ remains undetermined. Since this is the case for the set B 
in bit retrieval (hypercube), our second example examines this situation. For simplicity we take N = 1 and 
sets A = 7L and B = {0}. The corresponding difference map is given by 

D(x) =x + p\ lB x\ , (94) 

where [ J denotes rounding to the nearest integer. The set of fixed points is the interval ( — (275 ) ~ 1 , ( 27^ ) ~ 1 ) , 
where the (trivial) local behavior of D is independent of 7^ as already mentioned. However, on a global 
scale we see that convergence requires that (3 and 75 have opposite signs. In fact, optimal convergence is 
obtained precisely when 7^ = —1//?, in agreement with d93l . In the absence of a more comprehensive 
analysis we will adopt the parameter values (l93l suggested by these two examples. 

A special case of the difference map first appeared in the context of image reconstruction from Fourier mod- 
ulus data and an object support constraint. Motivated by ideas from linear control theory, Fienup considered 
three feedback variants in an iterative scheme, the most successful of which became known as the hybrid 
input-output algorithm [F]. In image reconstruction applications of the difference map, A corresponds to the 
torus of Fourier modulus constraints, as in bit retrieval, while B is a linear space representing the support of 
the object in the image. Fienup's formulation made no reference to projectors but coincides exactly with the 
difference map for the parameter values 7^ = 7s = —1, and > [El]. The geometrical represen- 
tation and generalization of the hybrid input-output iteration, made possible by projectors, was recognized 
only recently [BCL, El]. 

When applied to bit retrieval and phase retrieval with atomicity constraints, it is believed [El] that the 
dynamics of the difference map is chaotic and strongly mixing. If true, this implies that the starting point 
of the iterations is largely irrelevant: an initial distribution of starting points very quickly approaches an 
invariant distribution. This property can be strictly true only in the case of ill-posed instances, when there is 
no solution. Solutions represent an exceptional situation, a constellation of fixed points "hidden" within the 
invariant distribution that the chaotic dynamics is attempting to discover. The strongly mixing hypothesis 
implies that every iteration is effectively subject to a fixed probability of being within the basin of attraction 
of a fixed point, after which it quickly converges to an entirely different invariant distribution: the fixed 
point. Thus the number of iterations / of the method is expected to have the probability distribution 

dP{I) = exp (-!//„) (dl/h) , (95) 

where Iq is the mean number. The method is optimized by minimizing Iq with respect to the parameter f3 for 
appropriate test problems. Figure 4 compares the histogram of the number of iterations required to solve the 
bit retrieval instance for the sequence tth with the distribution d95l . The data shown represent 10 4 solution 
attempts, all successful and differing only in the choice of initial (random) iterate. 
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Figure 4: Comparison of the distribution of difference map iterations I, required 
to solve the bit retrieval instance 7T4i, with the exponential distribution predicted 
by the strongly mixing hypothesis. The units on the abscissa give the ratio I/Iq, 
where Iq 9623 is the mean number of iterations. 
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